Cyber Insurance Premiums: A Changing Landscape of Risk Assessment

Defending against cyberattacks appears to be trending in favor of hackers as the growing number of phishing attacks trick employees into downloading malware or clicking on a malicious link. That’s why companies of every size would be well-served to improve their cybersecurity awareness training and secure an affordable cyber insurance policy.  

During the third quarter of 2022, data breaches spiked by 167 percent as more than 15 million internet users were impacted. With hackers halfway around the globe facing few, if any, consequences, online thieves have targeted American businesses with impunity. The average loss was between $120,000 and $1.24 million in 2021, and two-thirds of small businesses fell prey at least once. Despite the growing ability of hackers to penetrate networks from remote locations, recent statistics indicate not enough organizations possess adequate cyber insurance.  

• Nearly two-thirds of business leaders are not familiar with cyber insurance policies.
• More than 70 percent of decision-makers purchased cyber insurance only after getting hacked.
• Close to 40 percent are unsure what cyber insurance covers.
• Less than 20 percent of small businesses have a cyber insurance policy in place.

Upwards 69 percent of small business owners are reportedly concerned about cyberattacks. But cost continues to present an impediment, particularly for small and medium-sized businesses. Yet, entrepreneurs and other decision-makers are not necessarily investing in determined protections such as the Phishfirewall to help lower cyber insurance premiums.

How Do Insurance Companies Calculate Cyber Risk?

Cyber insurance is considered a relatively recent type of coverage with companies offering products for just over 20 years. The newness of cyber insurance hamstrings insurance corporations — to some degree — from accurately estimating risk factors. Due to a lack of historical data, recent spikes in cyberattacks prompted carriers to hike premiums.

For example, ransomware attacks result in among the highest losses to organizations. Hackers usually demand payoffs in cryptocurrency before allowing owners to access their frozen systems. Other losses include downtime, damaged digital assets, and customer losses. And insurance carriers have little choice but to align policy premiums with the following ransomware statistical data.

• In 2021, ransomware demands skyrocketed by 82 percent.
• The average payout exceeded $570,000.
• Ransomware attacks increased by 350 percent during the last four years.

Roughly 90 percent of ransomware and other malware attacks use phishing and spear phishing emails as a delivery vehicle. Based on current projections, phishing-related attacks are expected to skyrocket by as much as 400 percent in the coming years. These are all pertinent factors when an insurance company determines the risk associated with a cyberattack on an organization.

Insurance carriers typically calculate risk assessment in conjunction with how likely an enterprise is to file a claim. Given the pervasive and increasing deployment of phishing schemes, the risk of a loss rises every year. The second part of the equation involves how large of a loss will the insurer need to pay out in compensation. Again, the dollar amounts linked to ransomware attacks and other data breaches rise annually. Given the age-old logic used by insurance providers, the price of cyber insurance must follow suit.

Fewer Insurance Carriers Offering Cyber Risk Coverage

Recent reports indicate that a reduced number of insurance companies are willing to underwrite policies due to climbing attack rates and losses. The U.S. Government Accounting Office questioned whether cyber insurance would remain widely available because carriers are quickly losing their risk appetite.

“One insurer told us it opted not to insure the energy sector because energy operations can be attacked in multiple ways, and because it is concerned that energy operators do not follow robust cybersecurity protocols. Another insurer said that its appetite to provide coverage to certain industries — including electric grid operators and airlines — is limited,” according to a U.S. Government Accounting Office report to Congress. “Various sources show considerable increases in cyber insurance premium rates in the past year. For example, according to (the National Association Of Insurance Commissioners), premiums increased 29 percent in 2020, and the Council of Insurance Agents & Brokers reported a more than 34 percent increase in cyber premium rates from the third to the fourth quarter of 2021.”

The need for organizations of every size to carry cyber insurance has become a fundamental protection against losses. And savvy business professionals are looking for ways to harden their cybersecurity defenses to prevent breaches and reduce insurance premiums.

How To Achieve Cyber Insurance Risk Compliance

It’s important to understand that cyberattack losses are not restricted to the initial theft. A cybercriminal may infiltrate a system to steal valuable and sensitive information to sell on the dark web. Leveraged credit cards and drained bank accounts constitute quantifiable financial losses.

But stolen data that impacts employees, other businesses, or the reputations of people in your orbit may prompt civil lawsuits. Those losses escalate as litigation moves forwards and compensation comes due. Not to mention, failure to maintain online privacy standards could result in regulatory fines. A brute force hack is anything but simple and the best way to reduce potential losses is to follow routine insurance risk compliance requirements, such as the following.

• Multi-Factor Authentication: When users log into a system, they receive a code on a secondary device. Before being allowed into the network, they must input the security code. Multi-factor authentication has emerged as a robust deterrent because hackers are generally unable to control the secondary device.
• Disaster Recovery Protocols: Ransomware attacks are particularly costly because hackers seize control of digital assets. Without vital records and information needed to complete tasks, an organization becomes helpless. By creating a secure backup and storing it offline, companies can effectively restore their system and minimize losses.
• Zero Trust Protocols: A zero trust network policy limits every legitimate user’s access to information and applications. Each login profile sets parameters that allow the user to access areas of the system needed to complete their assignments. Should a hacker obtain a staff member’s username and password, their access is also restricted.
• Endpoint Protection: Cyber risk compliance typically requires an organization to install enterprise-level antivirus software protections as well as demonstrate programs consistently undergo patch management updates. Secure devices reduce the network’s attack surface and insurance liability risk.

Implementing these and other cybersecurity protocols reduces vulnerabilities and that, in turn, minimizes an insurance carrier’s risk. They are akin to the way installing state-of-the-art smoke detectors or a burglar alarm would reduce homeowners insurance risks and premiums. But cybersecurity experts and those who work in this insurance niche are keenly aware of the greatest risk factor — human error. Too often, valued and trusted employees are tricked into downloading malware or clicking on a malicious link sent via email.

How Can Phishfirewall Prevent Hackers from Exploiting Workers?

It seems that each year studies regarding phishing attacks produce nearly identical conclusions. Mistakes made by employees are the basis for about 1-in-20 data breaches. Supporting that conclusion, the IBM Cyber Security Intelligence Index Report indicated that “human error was a major contributing cause in 95 percent of all breaches” during 2021.

Often honest in nature, the research identifies the mistakes as unintentional acts, lapses in judgment, or the result of a lack of cybersecurity awareness training. Current cyber awareness training around phishing relies on lengthy, cumbersome training simulations and meetings, which lead to an increase in punitive action and a negative opinion of cyber training within the workforce. If your users don’t want to engage with your cyber awareness training, then your chances of a breach rise significantly.  

At Phishfirewall, we’re passionate about advancing a more intelligent, behaviorally-based, and human approach to cybersecurity awareness. By combining the power of AI, social engineering concepts, and behavioral science we’re challenging convention to create a more secure future and a smarter, cyber-savvy workforce.

Our solutions and services are built on a deep understanding of psychology and attacker methods, delivering bite-sized, user-tailored, and entertaining learning experiences to condition your workforce and ensure they are always on guard and prepared to recognize and respond to today’s sophisticated cyber threats. Our intelligent platform gives overwhelmed IT staff a smooth path to securing their organizations, reducing cyber risk, and overcoming compliance challenges with an industry beating sub 1% phish click rate within 6 months of adopting our service. A significant reduction in risk compared to our competitors’ 6-month timeframes.

We believe that phishing education should deliver quantitative results while accounting for the realities of hectic work schedules. With us, that means:

• A fully-automated,  AI managed solution that relieves the burden of training and tracking employees off of your IT team
• Engaging, positive, and personalized learning experiences that take only 60 seconds to orient valued staff members about phishing schemes
• Robust analytics and reporting that identify and track organizational breach risk by location, department, and individual users.
• Training curriculums and phishing simulation scenarios based on actual real world hacking threats being used right now

Deploying Phishfirewall into the work environment delivers the cybersecurity awareness training that companies need to harden their defenses and reduce risk. If you are an industry leader concerned about the growing number of cyberattacks and insurance premiums, visit Phishfirewall today.

‍